Hello there, when I was preparing for SCEA (Sun Certified Enterprise Architect) there were a lot of threads that I had googled around, and I have some information I want to share. I hope people who are planning to take SCEA 5, now known as "Java Enterprise Edition 5 Enterprise Architect Certified Master", OCMJEA, OCMJEA 5 or Oracle Certified Master, will find this post useful.
In addition I will post some articles related to J2EE as and when I use/learn new stuff in this space.

Access control > realm (root or whichever realm you are using) > Authentication

(Here I show how to get Windows Desktop SSO working with a fallback: if SSO fails for some reason, the browser falls back to the OpenAM web login screen, where the user can still log in with user id and password. If you only want Windows Desktop SSO this setup still works; just leave the "ldapService" module out of the authentication chain below.)

1. Create another module instance for the Active Directory service and call it "DataStore". (This assumes you have already configured Active Directory as the data store for the realm.)

2. Create a new module instance of type Windows Desktop SSO.

Now click on your windowsDesktopSSO module instance and configure it with your keytab file and the matching service principal. (How to generate keytab files is a separate topic; here I assume you already know it.)

Now, still on the same page: Access control > realm (root or whichever realm you are using) > Authentication

The OpenAM IDP returns an HTTP 401 to the browser with a WWW-Authenticate: Negotiate header. Each browser handles this challenge differently. What we want is for the browser to answer it with the Kerberos (SPNEGO) token of the logged-on user; a browser that does not trust the IDP host will instead prompt for credentials or fall through to the OpenAM login page.

Internet Explorer

By default IE sends the logged-on Windows credentials only to sites in the Local intranet zone. The OpenAM IDP can be added manually to that zone (Internet Options > Security > Local intranet > Sites) until we can engage systems engineering to publish it so that it is recognised as an intranet site automatically (and therefore trusted).

Chrome on Windows uses the same Internet Options zones as IE, so once IE works, Chrome works too. To confirm this, open Settings, type network into the search box and click the "Change proxy settings" button. You should see the same Internet Properties dialog that IE uses.

Configuring Firefox for SSO with OpenAM

Firefox does not use the Windows zones. When it gets the 401 Negotiate challenge it will only answer with a Kerberos ticket for hosts it has been explicitly told to trust, so Firefox must be configured to trust the OpenAM IDP for SSO to succeed. Launch Firefox and type about:config in the address bar.

Click the "I'll be careful" button. In the Search box, type network.negotiate to filter the configuration to the negotiation options. Change two values; both values will be the same. Use the IDP hostname of the environment you want to test in. Note that trusted-uris is what enables SSO; delegation-uris additionally allows the IDP to obtain a forwardable ticket in your name, which most setups do not need, so leave it empty unless the IDP requires delegation.

(1)network.negotiate-auth.delegation-uris

(2)network.negotiate-auth.trusted-uris

Note: if you have more than one URL to add, Firefox accepts a COMMA-SEPARATED LIST. (For this example I will consider another IDP, say idp.xyz.com.)

If your environment falls back to NTLM rather than Kerberos, the equivalent setting in about:config is

network.automatic-ntlm-auth.trusted-uris

This preference only controls NTLM; it has no effect on the Kerberos ticket, which is governed by the two negotiate-auth values above.

With this configuration your windows desktop SSO setup should work.
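As an added example (not part of the original post), the script below does two things a practitioner wants when debugging this setup: it writes the Firefox preferences from above into a user.js fragment for a list of IDP hosts, rejecting anything that is not a bare hostname or https:// URL so the ticket is never handed to an unintended site, and it checks a saved IDP response for the 401 + WWW-Authenticate: Negotiate challenge that triggers SSO. The hostname openam.xyz.com is an assumption; idp.xyz.com comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the Firefox Negotiate
# prefs for a list of IDP hosts, and check a saved IDP response for the
# 401 + WWW-Authenticate: Negotiate challenge that triggers SSO.
# openam.xyz.com is an assumed hostname; idp.xyz.com is from the post.

# Join hosts into the comma-separated value Firefox expects. Only bare
# hostnames or https:// URLs are accepted; anything else (http://, a path,
# a stray wildcard) is rejected so the ticket is not sent somewhere unintended.
negotiate_uri_list() {
    list=""
    for entry in "$@"; do
        host=${entry#https://}
        case "$host" in
            ''|*[!A-Za-z0-9.-]*)
                echo "negotiate_uri_list: rejecting '$entry'" >&2
                return 1 ;;
        esac
        list="${list:+$list,}$entry"
    done
    printf '%s' "$list"
}

# Write a user.js fragment for the Firefox profile directory.
# trusted-uris is what makes Firefox answer the Negotiate challenge.
# delegation-uris additionally lets the IDP obtain a forwardable ticket in
# the user's name; most SSO deployments do not need that, so it is only
# written when DELEGATE=1.
write_user_js() {
    out=$1; shift
    uris=$(negotiate_uri_list "$@") || return 1
    {
        printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$uris"
        if [ "${DELEGATE:-0}" = 1 ]; then
            printf 'user_pref("network.negotiate-auth.delegation-uris", "%s");\n' "$uris"
        fi
    } > "$out"
}

# Read raw HTTP response headers on stdin (e.g. saved from curl -sI against
# the IDP login URL) and return 0 only if the status is 401 and a
# WWW-Authenticate header offers Negotiate. A 200 carrying the OpenAM login
# page means the module never challenged, so browser settings are not the problem.
has_negotiate_challenge() {
    tr -d '\r' | awk '
        NR == 1 && $2 == "401" { status = 1 }
        tolower($1) == "www-authenticate:" && tolower($2) ~ /^negotiate/ { neg = 1 }
        END { exit !(status && neg) }'
}

# Constructed sample of the first response from an IDP with Windows Desktop
# SSO enabled (not a real capture), so the check can be tried offline.
SAMPLE_CHALLENGE='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Length: 0
'

# Stand-alone run: write prefs for two IDPs, then check the sample response.
demo() {
    write_user_js "${TMPDIR:-/tmp}/user.js" openam.xyz.com https://idp.xyz.com || return 1
    printf '%s' "$SAMPLE_CHALLENGE" | has_negotiate_challenge
}
```

Source the file and call demo, or pipe the output of curl -sI https://openam.xyz.com/... into has_negotiate_challenge; an exit status of 0 tells you the IDP is challenging and any remaining failure is on the browser side.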

If you liked this article or have suggestion or correction please post your valuable comments.

The .pfx file extension most often indicates a Personal Information Exchange (PKCS #12) file, a container for a private key together with its certificate chain, most frequently used on Windows or with the .NET framework.

To get a signed cert we need the following

Step1. Generate a Key pair using Keytool

Step2. Generate a CSR (Certificate Signing Request) for the key pair you generated in step 1.

(Read more about what a CSR contains at
http://en.wikipedia.org/wiki/Certificate_signing_request)

Step3: Send the CSR file to a CA (Certificate Authority) such as VeriSign, DigiCert or Thawte.

Step4: Receive the signed certificate. The reply from the CA may be a .p7b (PKCS #7) file, which contains 3 certs:

- your cert generated in step 1, now signed by the CA
- the CA root cert
- the CA intermediate cert

Step5: Import the CA reply into your keystore. This replaces the self-signed certificate stored with your key entry by the CA-signed one; your private key stays the same. Since the signed certificate must chain up to a trusted root, the CA root and intermediate certs are imported along with it. I explain this below.

The options passed to keytool -genkeypair when creating the key pair:

secret - I used this as both the store password and the key password (-keypass); you can use different strings.

validity - 1825 days, i.e. 5 years.

The rest is self-explanatory: the algorithm, the key size (use 2048 or higher for better security) and your company name.

CN=*.xyz.com ==> a wildcard name: the cert is valid for any single host label directly under xyz.com, assuming your company uses URLs like app1.xyz.com, app2.xyz.com, app3.xyz.com to access the application. It does not cover xyz.com itself or deeper names such as a.b.xyz.com. Note that current browsers ignore the CN and match the hostname against the Subject Alternative Name extension only, so make sure the CA puts *.xyz.com into the SAN as well.

Now if you list the contents of the keystore

keytool -list -v -keystore my_java_keystore.jks -storepass secret

NOTE: if the alias holds a public/private key pair, keytool -list -v shows it as Entry type: PrivateKeyEntry (keyEntry on older JDKs); a certificate imported on its own shows as trustedCertEntry.

Remember that the CSR file only contains your public key and some information about your organization, signed with your private key to prove you hold it. You never will, or should, share the private key.

Now send this xyz_cert_signing_req.csr to a CA (Certificate Authority) like VeriSign or DigiCert. (Yes, you need to pay to get a signed cert :) )

Step4: This is a very important step. If you try to import just your signed leaf cert into the key entry, keytool fails with "Failed to establish chain from reply", because it cannot build the chain to a trusted root without the CA root and intermediate certs.

Follow these steps:

- Once you receive your signed cert from the CA, let's call it xyz_cert_signing_req.p7b.

- Double-click the file (Windows opens it in the certificate viewer) and you should see the chain (your CA's name may differ).

Now click on each cert (i.e. *.xyz.com, DigiCert High Assurance CA-3, DigiCert High Assurance EV Root CA); a popup launches as shown below, and you can save each certificate separately. Choose the Base-64 encoded X.509 (.CER) format when saving.

Certificate export Wizard

Let's call these exported certs

RootCA.cer
HighAssuranceIntermediateCA3.cer
xyz_cert_signing.cer

If you open them in a text editor you will see something like

-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
…..
….
-----END CERTIFICATE-----

Now combine the three .cer files into one file (you can copy them manually or use a script).

Let's call this xyz_cert_signing_combine.txt

This combined file will hold the contents of all 3 certs (root, intermediate and your xyz_cert_signing.cer):

-----BEGIN CERTIFICATE-----
Contents of RootCA.cer here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of HighAssuranceIntermediateCA3.cer here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of xyz_cert_signing.cer here
-----END CERTIFICATE-----

STEP5: Now import this combined file as the certificate reply into your keystore, using keytool -importcert with the same alias as your private key entry. keytool also accepts the .p7b directly as a reply, since it understands PKCS #7 chains.

If you now list your keystore you will see your key entry carrying the CA-signed cert plus the intermediate and root certs as its chain, alongside your private key.

If another application asks for your signed certificate you can send them xyz_cert_signing_req.p7b, from which they can extract the root cert, the intermediate cert and your signed cert. If they want to install it into their own keystore they may have to combine all 3 certs as explained above and import it differently, as a trusted cert rather than as a reply to a key entry.

(NOTE: -keypass is only needed if the key password differs from the store password. -trustcacerts is not strictly required when the reply already contains the root and intermediate, because keytool can build the chain from the reply itself; it is needed if you import only the leaf cert and expect the CA certs to come from the JDK cacerts store. The alias, however, is essential: the reply must be imported under the alias of your private key, otherwise keytool stores it as a separate trusted-cert entry and your key keeps its self-signed placeholder. The chain matters for the same reason it matters to other applications: without the root and intermediate certs there is no way to verify that your certificate was signed by the right authority.)
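The whole procedure from step 1 to step 5, as an added example script (not from the original post). Keystore name, the store password "secret" and the 1825-day validity are taken from the post; the alias "xyz" and the O/L/ST/C parts of the DN are assumptions. Setting DRY_RUN=1 prints the keytool commands instead of executing them, which is also how the combine step can be exercised on a machine without a JDK. The combine step checks that every input really is a Base-64 (PEM) certificate, which catches the common mistake of exporting a .cer in DER format from the Windows wizard.

```shell
#!/bin/sh
# Added example (not from the original post): the keytool flow described
# above as a script. Assumptions not in the post: the key entry alias is
# "xyz", and O/L/ST/C in the DN are placeholders. Keystore name, store
# password "secret" and validity 1825 are taken from the post.
# DRY_RUN=1 prints the keytool commands instead of running them.

KEYSTORE=${KEYSTORE:-my_java_keystore.jks}
STOREPASS=${STOREPASS:-secret}
ALIAS=${ALIAS:-xyz}   # assumed alias; the CA reply must be imported under this same alias
DNAME=${DNAME:-"CN=*.xyz.com, O=XYZ Inc, L=City, ST=State, C=US"}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: RSA 2048 key pair. keytool stores a self-signed placeholder cert
# with the private key until the CA reply replaces it. The SAN extension is
# added because browsers match hostnames against the SAN, not the CN.
gen_keypair() {
    run keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 1825 -dname "$DNAME" -ext "SAN=dns:*.xyz.com" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 2: CSR for that key pair. It carries the public key and subject
# only; the private key never leaves the keystore.
gen_csr() {
    run keytool -certreq -alias "$ALIAS" -file xyz_cert_signing_req.csr \
        -ext "SAN=dns:*.xyz.com" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 4: concatenate the Base-64 (.cer) files exported from the .p7b into
# one PEM bundle. Each input must be PEM with matching BEGIN/END markers
# (a DER export has none); a missing trailing newline is repaired so two
# markers never end up on the same line.
combine_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
        ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
        if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
            echo "combine_pem: $f is not a Base-64 encoded X.509 certificate" >&2
            return 1
        fi
        cat "$f" >> "$out"
        if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$out"; fi
    done
    return 0
}

# Number of certificates in a PEM bundle (3 for root + intermediate + leaf).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 5: import the bundle as the CA reply under the private key's alias.
# keytool orders the chain itself, so root/intermediate/leaf order in the
# file does not matter. -trustcacerts lets it fall back to the JDK cacerts
# store should the bundle lack the root.
import_reply() {
    run keytool -importcert -alias "$ALIAS" -file "$1" -trustcacerts -noprompt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Afterwards the alias should list as PrivateKeyEntry with a chain length of 3.
list_keystore() {
    run keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS"
}
```

Typical use: gen_keypair, gen_csr, send xyz_cert_signing_req.csr to the CA, then combine_pem xyz_cert_signing_combine.txt RootCA.cer HighAssuranceIntermediateCA3.cer xyz_cert_signing.cer, import_reply xyz_cert_signing_combine.txt and list_keystore to confirm the chain.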